In one of my work i need to build a feature for users to upload videos. i m creating a directory if not exists for that user and storing videos into it. I did directory listing off in .htaccess file so in this case no one can access files listing directly from url.
But when anyone can play that uses video, embed code is generated and in that path is also displayed for that video. When i copy and paste that path in url , video gets downloaded. i want to prevent it from directly accessing? can anyone has a solution for the same?
https://tn123.org/mod_xsendfile/
I use this
You can store your video files not in DOCUMENT_ROOT directory and provide access through the program.
Something like this: http://test.com/watch.php?video_id=blahblablah , like Youtube
Related
I have made a site with Codeigniter and users have options to upload their photos there. As the photos are personal, I think keeping them on web directory is not safe. As a result, I kept them on a root directory like /var/www/images directory. Now, how I can get the images in a webpage?
Wrong Choice dear learner. you images folder needs to be accessible by your code and to the browser to render that image by the image path. For example
This is the image directory of my project. I am using all these images in different pages of my website. Some are selected dynamically by my code.
Now in your case by putting images in www folder, you are making a path of http://images/ which is not recommended by any PHP guidelines. Your images folder should be in your project root not outside.
If you want to disable folders to be viewed, just add empty index.html file, but if you try to protect images from being viewed then your website wont be able to find them too image protection in codeigniter
The code will be as safe as you make it. Well what you are doing is fine, the web server will still have to access the images.
While ignoring the rest of your code or what yo are trying to achieve, you could try referencing the images fro your webroot or probably create a symlink.
Also, I would try to put the images in another place like AWS.
If security is a concern for you, you can try building a ImagesController that checks if image exists, if user has permissions to see it and after that render it.
Uploaded images should also have some reference row inside a table in your database that can have a column which specifies if it should be public (also try to sort them to folders depending on what it represents - user profile pics, product images, etc).
I know it's a little bit of work but this would be the way I would do it.
You can check online for examples of controllers that return an image.
Good luck on your project.
I've found several answers to this question, but each case was different from mine. Before I spend hours implementing what I think will work, I'd like to get an opinion or two. Who knows, there may be an easier solution that will benefit someone else too!
I'm in the process of creating a website which provides a photo modification service. Each of my customers will be uploading their photos using a modified version of a jQuery/PHP upload script I found on Github (BlueImp's File Upload script- props BlueImp!) When each image is done uploading, a thumbnail of the image is displayed next to the image's filename.
The upload page creates a folder based on their Order #, and a thumbnail subfolder where the images are stored. For example, for Order # 12345:
/uploads/12345 <- Folder where the uploaded images will go
/uploads/12345/thumbs <- Folder where thumbnails will be served from
It's important that clients don't access other clients' photos. I moved the uploads folder outside of my website root, but then the thumbnails weren't displaying when the images finished uploading because, well, they weren't in the website root so the links weren't working.
Here's a solution I thought of:
Separate the folders. Move the main upload folder outside of the document root, but leave the thumbnail folder inside the doc root, so the thumbnails can be served up when each upload completes. When the user has finished uploading their images, delete the thumbnail folder corresponding to that Order #.
Is there a better way to do it? My concern is preventing access to photos (A client will only have to upload them once, then wait for us to finish the modifications. They will NOT have to log back in to download them.) I don't want someone to be able to access the upload folder via the address bar or anywhere else. Can I use an .htaccess file to restrict access, but still allow for linking to the thumbnail images via the upload script?
I apologize for the wordy question. I tried to be as succinct as my limited knowledge of programming would allow. Thank you in advance for your time and effort in helping with this.
two way around
Write a blank index.html on each directory, which will prohibit to access files.
Write below in .htaccess ( if not exist then create this file )
Options -Indexes
OR If you want NO ENTRY outside of the LAN
# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.0.0/24
# this would do the same thing..
#allow from 192.168.0.0 to 192.168.0.24
Reference
One more
You want to show the thumbs to each owner customers but not to others?
knowing the Order number (is sequenziell) you can easily try some links and see some photos.
I suggest to use a .htaccess to password the upload folder and to generate a hash number for every thumb that you have to attribute to the order number.
A second solution: password with a .htaccess the upload folder and generate a thumb when you generate the order confirmation page without saving the thumb. (he has to see it only once as you mention).
have fun!
Two things that you should do are:
Disable directory indexing.
Always keep the file names random. Map them using the database. i.e file1.jpg->file_af324234324324ff . You can also store the thumbnail file information in the same table.
I am using the TimThumb script (http://code.google.com/p/timthumb/). My images links are generated like this: http://website.com/pics/nature/animals/bear.png and this works great but I can't seem to use TimThumb like this: http://website.com/resize.php?src=http://website.com/pics/nature/animals/bear.png&h=150&w=150, it says Could not find the internal image you specified. I believe this is because my images are brought from a folder by slug names (bear.png). The folder's images are named by the ID of the image so there is no bear.png on the server, my application is using slugs to search the DB and bring up the real name of the picture but it loads the image upon this link: http://website.com/pics/nature/animals/bear.png. If I give my resize.php script a link from flickr it works great.
BTW, resize.php is the actual TimThumb script.
Any ideas ? Thanks !
Dont use a local path, enter the full URL for timthumb just like you did with flickr
In my website people can upload their photos. And I show them. Is it possible, that they would not be able to see url where that image is?
Photos are shown like this <img src="http://mywebsite.com/my_images/image_name.gif" />. What I want to do, that people couldn't see that src link. Is there any way to show photos from that directory without exposing directory name?
Thanks.
There isn't, but you can use URL rewriting (apache's mod_rewrite or a custom PHP script to serve the images) to hide the actual location on your web server.
For example for the latter approach you coud have a serveimage.php on the server, which is called like serveimage.php?file=file1.jpg.
You can call another php-script via <img src="..."> the script loads the image and generates it. This FAQ entry should help.
In my project, user will upload videos. So i have done simple code to check video file extension and moved to a particular folder. now problem is that only registered user can see that video. So i decided to check session while loading page which contain player to play video. but in view-source option , video file url available. so then can see that video using that url. now i need to check session before accessing that video folder. or is it possible to store video files in DB?
thanks in advance..
It is insane, you need to make a rewrite or something like this video.php?id=blablabla, a then check if user is logged in, if he is, play (readfile) video. What type of file is it?
$id = $_GET["id"];
if($session == true)
{
header("Content-type: video/flv");
readfile("my/secret/path/".$id);
}
everything that's shown for a user can always be copied and spread, but one way to prevent it from a more regular user would be using a php that reads an id/hash(basicaly a key of some sort) that is related to an video and then loads the video through file_read and outputs it.
store key and then the real url in a database then query the id to get the real url and then use a file reading function for example to stream it
the function could be fopen, fgets or something similiar